What I’m about to tell you, it’s a very personal, a very important thing. Hell, it’s a family motto. Are you ready? Here it is: Show me the money. SHOW! ME! THE! MONEY!
A core principle of nearly every business in the world is that they incentivize great performance. This might be a monetary bonus at the end of the year for meeting certain goals. It might be the prestige of earning a trip to Hawaii with all the other top salespeople. It might be an employee of the month parking space. Thereâ€™s a reason that so many different organizations use incentives: because they work.
So why donâ€™t we offer incentives for cybersecurity?
The most difficult part about this is finding measurable ways to reward employees for making security improvements. Measuring the number of times you stop an attack is problematic: simply measuring volume doesnâ€™t necessarily reflect the effectiveness of your protections. And what about the attacks you donâ€™t know about?
Another problem with incentives is that while they can provide the appearance of improvements, they may actually incentivize bad behavior in the form of hiding when problems arise. No one wants to lose a bonus. If fewer issues are reported as a result of employees hiding problems in order to secure their bonuses, your culture of security will be replaced by a culture of secrecy, which will wind up hurting the company in the long run.
We need to start solving this problem yesterday, so here are some ideas to get started:
- One method could be to create a bounty system for discovering potential security issues. Rewards could correspond to the severity of the issue. Another method might be to look for metrics that measure how effective your security is. This has the added benefit of helping you DISCOVER ISSUES!
- Rather than measure the number of people that fell for a phishing attack, for example, you can record how many people reported a phishing campaign and reward employees who spotted them. INCREASE PARTICIPATION!
- Have a company wide awards dinner where you recognize people who had an impact on cybersecurity. Donâ€™t just invite IT people, recognize the admin who spotted the W2 scam or the accountant who stopped a fraudulent wire transfer. This gets EVEN MORE PEOPLE playing a part to improve cybersecurity.
Incentivizing security?Â You had me at “hello”.